Recover soft-deleted mailboxes in an Exchange Hybrid scenario

I have encountered many situations where IT administrators have difficulty recovering a mailbox that was deleted from the Office 365 active mailboxes while running an Exchange Hybrid environment, so I am writing this article to help administrators perform a correct recovery and avoid situations such as creating duplicate users with blank mailboxes.

Scenario 1: Recover a mailbox that was deleted due to Directory Synchronization filtering changes:

Most organizations do not sync the whole Active Directory database; they prefer to use filtering to narrow the Directory Synchronization (AADConnect) scope to only the users the company needs to sync to O365.

If a user is moved from a synced Organizational Unit (OU) into a non-synced OU, the next time AADConnect performs a delta sync the Office 365 user is moved from Active Users into Deleted Users. As a consequence, the associated mailbox is moved to Soft-Deleted mailboxes and kept there for 30 days. During this time the administrator can very easily recover the deleted mailbox by applying the logic below:

Demo: for the purpose of this demo, I will use an AD account with the following UserPrincipalName (UPN): PodByteSize1@scdtech.co

Let’s reproduce the issue:

Log into the on-premises server that is hosting the Directory Synchronization engine (in my case AADConnect) and check which OUs are synced.

For example, in my test environment I am only syncing one Organizational Unit (OU):

Move the user to a non-synced OU

Perform a sync:

Open a standard Windows PowerShell window (on the server hosting AADConnect) and run the cmdlets below:

Only Get-Mailbox PodByteSize1 -SoftDeletedMailbox and Get-MsolUser -UserPrincipalName PodByteSize1@scdtech.co -ReturnDeletedUsers will return a result, which tells us that the mailbox and the user associated with it are in a soft-deleted state.

What if the two cmdlets return multiple entries? For example, what if Get-MsolUser -UserPrincipalName <UPN> -ReturnDeletedUsers returns two or more entries: which user is associated with our mailbox?

In this scenario we do not really need to know the answer to the above question, because the recovery is triggered by actions performed in the on-premises environment and the mailbox restoration is straightforward.

All you need to do is move the user back into the OU where the user originally resided. Assuming that OU is still being synchronized, the next time Directory Synchronization completes, the user and all associated data will be restored. By default, directory synchronizations occur every thirty minutes, so after you move the user back to the proper OU you must wait for the next sync cycle to take place. However, if you are like me and cannot wait, you can force the synchronization by running this cmdlet in PowerShell: Start-ADSyncSyncCycle -PolicyType Delta

Move the user back to a synced OU

Perform a sync: open a PowerShell window and run Start-ADSyncSyncCycle -PolicyType Delta

Check that the mailbox is in an active state: Get-Mailbox scenario1 | FT Identity, WhenCreated, WhenChanged -> You will notice that the mailbox is now active and accessible using the credentials of the AD user.
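The whole Scenario 1 recovery as one script, added here as an example and not taken from the original article. It assumes it runs on the AADConnect server with the ActiveDirectory and ADSync modules available and an Exchange Online remote session already imported; the synced OU path is a placeholder.

```powershell
# Added example (not from the original article). Assumes: run on the AADConnect server,
# ActiveDirectory and ADSync modules installed, Exchange Online session imported so that
# Get-Mailbox targets the tenant. Replace the placeholder OU with your own synced OU.
Import-Module ActiveDirectory
Import-Module ADSync

$upn      = 'PodByteSize1@scdtech.co'              # user from the article
$syncedOu = 'OU=Synced Users,DC=scdtech,DC=co'     # placeholder: your synced OU

# 1. Confirm the state: the AD user still exists, the tenant mailbox is soft-deleted.
$adUser = Get-ADUser -Filter "UserPrincipalName -eq '$upn'"
if (-not $adUser) { throw "AD user $upn not found; this is not the OU-filtering scenario." }
$softDeleted = Get-Mailbox -Identity $upn -SoftDeletedMailbox -ErrorAction SilentlyContinue
if (-not $softDeleted) { throw "No soft-deleted mailbox for $upn; nothing to recover." }

# 2. Move the user back into a synced OU (the action that triggers the recovery).
Move-ADObject -Identity $adUser.DistinguishedName -TargetPath $syncedOu

# 3. Force a delta sync instead of waiting for the 30-minute scheduler, then wait for it.
Start-ADSyncSyncCycle -PolicyType Delta
do {
    Start-Sleep -Seconds 15
} while ((Get-ADSyncScheduler).SyncCycleInProgress)

# 4. Verify the mailbox has left the soft-deleted state and is active again.
$active = Get-Mailbox -Identity $upn -ErrorAction SilentlyContinue
if ($active) {
    $active | Format-Table Identity, WhenCreated, WhenChanged
} else {
    Write-Warning "Mailbox for $upn is still not active; check the AADConnect export errors."
}
```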

If your Active Directory is hosted on Windows Server 2008 R2 or later, you can enable the Active Directory Recycle Bin feature. This feature is very useful when you need to recover a user that was permanently deleted from your AD.

To verify whether your AD has this feature enabled, run the following cmdlets in a Windows PowerShell window on a Domain Controller:

Import-Module ActiveDirectory

Get-ADOptionalFeature -Filter 'name -like "Recycle Bin Feature"'

In the output there is a property called EnabledScopes; if it is blank, the feature is not enabled. When the feature is enabled, the value of EnabledScopes will be similar to this one:

Only Get-Mailbox PodByteSize2 -SoftDeletedMailbox and Get-MsolUser -UserPrincipalName PodByteSize2@scdtech.co -ReturnDeletedUsers should return an entry.

Now that we have reproduced the scenario, how do we recover this mailbox?

Solution:

The first thing we need to do is recover the AD user from the Recycle Bin:

The cmdlet below will produce a list of all AD objects found in the dumpster, and we need to check their properties, such as the whenChanged date, to understand which user to restore. If after analyzing this date it is still unclear which user we need to recover, we need to use PowerShell to see which AD user's ObjectGuid matches the ImmutableID of the MsolUser (Office 365):
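The ObjectGuid-to-ImmutableID matching described above, written out as an added example (not the article's own code). It relies on AADConnect setting the Azure AD ImmutableId to the Base64 encoding of the on-premises objectGUID, and assumes the ActiveDirectory and MSOnline modules are loaded, Connect-MsolService has been run, and the AD Recycle Bin is enabled; the function name is my own.

```powershell
# Added example (not from the original article). Assumes ActiveDirectory and MSOnline
# modules are loaded, Connect-MsolService has been run, and the AD Recycle Bin is enabled.
Import-Module ActiveDirectory
Import-Module MSOnline

function ConvertFrom-ImmutableId {
    # Azure AD ImmutableId (Base64 string) -> on-premises objectGUID
    param([Parameter(Mandatory)][string]$ImmutableId)
    [guid][Convert]::FromBase64String($ImmutableId)
}

function Find-DeletedAdUserForMsolUser {
    # Returns the Recycle Bin object(s) whose objectGUID matches a deleted Msol user's ImmutableId
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    # Several deleted tenant users may share the UPN (the question raised in Scenario 1)
    $msolUsers = Get-MsolUser -UserPrincipalName $UserPrincipalName -ReturnDeletedUsers
    # All deleted user objects still held in the AD Recycle Bin ("dumpster")
    $adDeleted = Get-ADObject -Filter 'isDeleted -eq $true -and objectClass -eq "user"' `
        -IncludeDeletedObjects -Properties objectGUID, userPrincipalName, whenChanged, lastKnownParent

    foreach ($m in $msolUsers) {
        if (-not $m.ImmutableId) { continue }   # cloud-only account, no on-premises anchor
        $guid = ConvertFrom-ImmutableId $m.ImmutableId
        $adDeleted | Where-Object { $_.objectGUID -eq $guid } | ForEach-Object {
            [pscustomobject]@{
                MsolObjectId    = $m.ObjectId
                AdObjectGuid    = $_.objectGUID
                WhenChanged     = $_.whenChanged
                LastKnownParent = $_.lastKnownParent
            }
        }
    }
}

# Usage: identify the matching AD object, then restore it so the next delta sync
# reconnects the user with its soft-deleted mailbox. Only restore when exactly one matches.
$match = Find-DeletedAdUserForMsolUser -UserPrincipalName 'PodByteSize2@scdtech.co'
$match | Format-Table
if (@($match).Count -eq 1) {
    Restore-ADObject -Identity $match.AdObjectGuid
}
```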

Thank you very much for your comment. I haven't touched this scenario, partially because the recovery is very similar to the last scenario in the article, but I will add a new scenario to this article next week.
Thank you for your feedback, it is always helpful and constructive.